[cabfpub] The Shappening: freestart collisions for SHA-1 (was Re: Ballot 152 - Issuance of SHA-1 certificates through 2016)
erwann.abalea at opentrust.com
Thu Oct 8 03:30:33 MST 2015
Was just reading it. The complete (80 rounds) SHA1 compression function is broken.
Some could argue that we still have a small security margin because of the choice of IV, or the difference in work factor between collision and chosen-prefix collision, etc.
It took too many years to get rid of MD5 (at least 7 years after collisions were publicly demonstrated). Let’s do things better with SHA1.
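To make the "freestart" distinction concrete, here is an added illustration (not code from the thread or from the paper) of SHA-1 as the paper attacks it: the full 80-round compression function, which a freestart attacker may feed any chaining value, versus the real hash, which always chains from the fixed IV. The function names `sha1_compress`, `sha1_pad`, `sha1` and `freestart_digest` are my own.

```python
import hashlib
import struct

# The fixed initial chaining value from the SHA-1 specification.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(chaining, block):
    """Full 80-round compression: (160-bit state, 64-byte block) -> new state.
    This is the primitive the freestart attack collides; the attacker may
    choose `chaining` freely, which the real hash (below) never allows."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):                      # message schedule
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = chaining
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[t]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(chaining, (a, b, c, d, e)))

def sha1_pad(msg):
    """Merkle-Damgard padding: 0x80, zeros, then the 64-bit message bit length."""
    ml = len(msg) * 8
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return padded + struct.pack(">Q", ml)

def sha1(msg):
    """The real hash: chain sha1_compress over every block, starting at SHA1_IV.
    Because the IV is fixed, a collision here needs two messages, not two IVs."""
    state = SHA1_IV
    padded = sha1_pad(msg)
    for i in range(0, len(padded), 64):
        state = sha1_compress(state, padded[i:i + 64])
    return b"".join(struct.pack(">I", x) for x in state)

def freestart_digest(chaining, block):
    """One compression call with a caller-chosen chaining value. Two distinct
    (chaining, block) pairs with equal output is a freestart collision; it is a
    SHA-1 collision only if both chaining values equal SHA1_IV."""
    return b"".join(struct.pack(">I", x) for x in sha1_compress(chaining, block))

if __name__ == "__main__":
    assert sha1(b"abc") == hashlib.sha1(b"abc").digest()   # cross-check vs. stdlib
    print(sha1(b"abc").hex())
```

Running it with a different first argument to `freestart_digest` shows the state an attacker controls in the freestart setting; with `SHA1_IV` it reproduces `sha1` on a one-block message.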
> On 8 Oct 2015, at 12:16, Rob Stradling <rob.stradling at comodo.com> wrote:
> Is Ballot 152 dead yet?
> "Our recommendations
> We recommend that SHA-1 based signatures should be marked as unsafe much
> sooner than prescribed by current international policy. Even though
> freestart collisions do not directly lead to actual collisions for
> SHA-1, in our case, the experimental data we obtained in the process
> enable significantly more accurate projections on the real-world cost of
> actual collisions for SHA-1, compared to previous projections.
> Concretely, we estimate the SHA-1 collision cost today (i.e., Fall 2015)
> between 75K$ and 120K$ renting Amazon EC2 cloud computing over a few
> months. By contrast, security expert Bruce Schneier previously projected
> the SHA-1 collision cost to be ~173K$ by 2018. Note that he deems this
> to be within the resources of a criminal syndicate. Large corporations
> and governments may possess even greater resources and may not require
> Amazon EC2. Microsoft, Google and Mozilla have all announced that their
> respective browsers will stop accepting SHA-1 based SSL certificates by
> 2017 (and that SHA-1-based certificates should not be issued after
> 2015). In conclusion, our estimates imply SHA-1 collisions to be now
> (Fall 2015) within the resources of criminal syndicates, two years
> earlier than previously expected and one year before SHA-1 will be
> marked as unsafe in modern Internet browsers. This motivates our
> recommendations for industry standard SHA-1 to be retracted as soon as
> possible. With our new cost projections in mind, we strongly and
> urgently recommend against a recent proposal to extend the issuance of
> SHA-1 certificates with a year in the CAB/forum (discussion closes
> October 9 2015, vote closes October 16)."
> On 06/10/15 16:23, Dean Coclin wrote:
>> Yes, Ryan is correct. Nonetheless, I am going to add it to the agenda
>> for this week’s meeting.
>> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>> *On Behalf Of* Ryan Sleevi
>> *Sent:* Tuesday, October 06, 2015 9:25 AM
>> *To:* Jeremy Rowley
>> *Cc:* Rick Andrews; public at cabforum.org
>> *Subject:* Re: [cabfpub] Ballot 152 - Issuance of SHA-1 certificates
>> through 2016
>> On Mon, Oct 5, 2015 at 10:02 PM, Jeremy Rowley
>> <jeremy.rowley at digicert.com> wrote:
>> Also - a point of order on this, but I thought all ballots needed one
>> telephone call or face to face before they could be started? Did that
>> That was never required by the bylaws. While a good idea to gauge as a
>> bellwether for the likeliness of the ballot to succeed, any member may
>> propose a ballot at any time, so long as requisite number of co-sponsors
>> is found, adequate time is given for review and voting, and that review
>> and voting is clearly indicated in the ballot.
>> Public mailing list
>> Public at cabforum.org
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> COMODO CA Limited, Registered in England No. 04058690
> Registered Office:
> 3rd Floor, 26 Office Village, Exchange Quay,
> Trafford Road, Salford, Manchester M5 3EQ